Topics - Arakangel Michael

#1
Virtual private networks / Loopback Adapter (ZeroTier)
January 26, 2022, 11:02:07 AM
OPNsense needs a corporate server adapter for the client workstations. Basically ZeroTier with Loopback, and Proxy functionality.

The purpose is ultimately to run OPNsense on Windows machines and have it intercept ALL traffic on the instance that the 'user' is 'using'.

It will help with blocking ads in the future.

The beast is going to use this to program your karma.

#2
We need security middleware capable of reading any incompressible string in memory.

Mandiant & Sysinternals utilities can help with this project.

The purpose is to find any encryption key, machine wide, to decrypt any traffic on the computer at all (running through the browser at least), and send it to a local IDS instance.

Security Onion on Mikrotik Tilera is my design for this.

If you have any ideas about it post here.
#3
I reached out to Dell about copyright. I haven't heard back yet. There is a custom Compellent RAID adapter, with the following on board:

3.33 GHz Wolfdale w/ a 15 Watt heatsink.
Spartan 3 Xilinx with 256 MB DDR2 / NAND Flash (Raid 1)
12.5 Farad Ultracapacitor for a battery backup
Old Intel 2x Gig NIC Controller Chip (Secure / Unflashable):
NH82546GB
Spansion GL06N90FFI02

PCI-2 v2 x8

I was loading these on HP 57xx Thin Clients, and I was going to pull the driver from the 3 Compellent SC040 servers that I had bought, as their OS is in BSD. The deep state was so covetous they ruined my career, and stole my gear, under the guise of taxes, and an eviction.

That said, the Netherlands funded the Mayflower.

The OS for the Compellent SC030/40 is in BSD, so the drivers are as well.

This card should be useful for the Suricata engine.
#4
OPSWAT does the best file analysis I've seen. Basically VirusTotal & FireEye.

I haven't used the on-premises version, but they have a Chrome plugin that works extremely well.

The cost isn't wretched.
#5
Intrusion Detection and Prevention / Suricata on Cuda
January 26, 2022, 03:55:10 AM
Does anyone know if this works with graphics card acceleration, or is that going to stay deprecated?
#6
I've been able to export the certificates using the links in the web interface, and then copy-pasting them into the import fields on the other sites' firewalls.

The issue I'm having is trust for the CA cert. The server certificate for one of the VPNs is showing self-signed, and the CA cert for that VPN shows having signed the user's certificate for that VPN, but not the server's.

To be clear, I'm using different CA, server, and user certs for all VPNs, in order to segment the network.
#7
I'm having issues getting CARP VIP sync to work on Mikrotik switches. Changing the VHID didn't help. So I set all the interfaces to use IP Alias.

XMLRPC sync works just fine for all High Availability settings via a dedicated interface.

DHCP failover didn't work at all using IP Aliases. The interface does say to use CARP, so I am assuming it means CARP VIP, and not High Availability.

All three interfaces were showing either:

'My State':
communications-interrupted
recover

'Peer State':
normal
unknown-state

or vice versa.

Removing the failover IP allows both peers to serve IP addresses.

Typically in this case I will assign a part of the subnet to each peer, or add a subnet delay.

Am I right in thinking that the CARP VIP is the issue, and that I can't use IP Alias for DHCP Failover?
#8
I've built 2 HA clusters using 17.1. All the same hardware.

XMLRPC sync works fine.
VPN on the master works fine. (Service start, logs, connectivity, etc.)
WAN is a CARP VIP.
Everything else works fine.

The backup firewall cannot start its OpenVPN service. There are no logs in the firewall.

The 2nd pair of firewalls is a bit more interesting. I had to use IP Alias for both LAN / WAN. CARP didn't work with the switch for some reason. The first OpenVPN synced, and starts on both firewalls. I set up a 2nd VPN using the wizard, and it syncs fine, but the service for it won't start on the backup firewall. I set the logging to 11 on the master, which synced to the backup, but no logs for service start on the backup.

The primary VPN is WAN > LAN
The 2nd VPN is for LAN > Management

The 2nd instance is using 1195 UDP, and 192.168.11.0/24, to differ from the primary VPN.

The goal is to require multifactor VPN to the firewall before being able to access administrative interfaces on the network devices.

Is there anything else I can check here?

What are the recommendations to have the firewall segment traffic depending on VPN type, or user? I only see the 'OpenVPN' interface listed under Firewall > Rules. The ovpns1, and ovpns2 aren't defined in the GUI that I can see.
#9
I have two firewalls set up with CARP / HA. XML RPC sync is failing after upgrading, which may be a separate issue.

I set up the OpenVPN server with certificates, and user / password. I was able to connect the VPN, and ping the main firewall only (on any interface). I tried reconfiguring various settings, but nothing worked. I ripped out the firewall rules, and server VPN, and just used the wizard, but still have the same exact problem:

I can ping the CARP, LAN, and LAN (CARP VIP) addresses from the VPN, as well as the 'default gateway' that is issued to my client without issue. Before I updated to 17.1.5, and broke the XML RPC sync, I was still connected to the VPN via the fwback firewall while the fwmain firewall was rebooting, so the WAN CARP VIP was working fine as well.

I am using 169.254.x.x for the actual WAN addresses of both firewalls, with no issues so far, so these interfaces are not pingable from the VPN. These interface addresses are all pingable:

192.168.1.254 (LAN CARP VIP)
192.168.1.251 (LAN fwmain)
172.16.1.251 (CARP fwmain)
192.168.10.1 (gateway address, for some reason the gateway address changes it has been .1 through .5)

I could never ping any other address on the LAN, including the backup firewall 192.168.1.250 (fwback) over the VPN.

None of the settings seem to affect this problem (including 'Topology'); I have spent a few hours testing permutations.

I have IDS enabled, but not IPS.

The CARP interface is a broadcom gigabit chip. The other 4 interfaces are all Intel Gigabit Pro 1000. They are all configured the same, and in the same order.

I updated to 17.1.5 in the hopes that maybe it would fix something? It didn't affect the issue, but broke XML RPC sync (it auto-submitted a bug report for this, twice, using the same email that I have registered for the forums):

"An Error occured while attempting XML RPC sync ... /xmlrpc.php parse error. not well formed"

I was thinking that the update broke something, but I don't know how to check.

I am stuck. I don't see any setting to tweak to allow access to the LAN over the VPN.

I am using Windows 8.1 clients running over VMware Workstation (on a Windows 8 host). I have tried both 'Bridged', and 'NAT' for the VMware settings, but they behave exactly the same way. I am using the current Viscosity client.

It doesn't seem that the firewall itself is releasing traffic.

The original 2 firewall rules as created by the Wizard had to be modified:
The UDP 1194 inbound rule had to be changed to 'any' instead of 'WAN' since it's using the WAN CARP VIP, and not the actual WAN address.

I added a LAN rule to allow traffic from 192.168.10.0/24 to test it.

The original rule under the 'OPENVPN' interface is still there. I noticed that under 'Interfaces / Assignments' there is a 'ovpns1' interface that isn't assigned to anything. I had also tried assigning this interface a static IP address on the tunnel subnet of 192.168.10.0, but that only prevented pinging the firewall itself as well. That was the point where I ripped everything out, and disabled, and then deleted that interface. After updating to 17.1.5 it seems to be working as it was before; I can still ping any (routable) interface on fwmain, but nothing else.

Any help is greatly appreciated.
#10
17.1 Legacy Series / IP Intel / AV Plugins?
March 20, 2017, 07:26:12 AM
I have a VoIP phone that someone was trying to port scan (at least) the other day. It has a few SIP test accounts on it. One of the providers apparently got hacked. The first round of scans came over a VPN tunnel in Germany. So I geo-blocked the world 'United States (not)'. A few hours later they started again from a U.S. IP.

I was looking for a way to automatically lookup if an IP is a known VPN tunnel, or TOR Relay. I came across GetIPIntel, which accurately classified all the IPs I threw at it. For now I just disabled inbound calls from that provider. This would be a fantastic option along the lines of GeoIP / SpamHaus Drop / eDrop (which are already configured).

He provides some php code for this:
https://github.com/blackdotsh/getIPIntel

I like the multi scanner AV approach that VirusTotal provides. There is apparently an ICAP server for this here:
https://github.com/sooshie/VirusTotal-ICAP

I don't personally trust Symantec, or McAfee (lots of problems with their software over the years). Kaspersky apparently doesn't know which SKUs support ICAP (Storage Server?).

I reached out to VirusTotal to ask them if it would violate their ToS for home use, and of the possibility of using their commercial version 'VirusTotal Intelligence', though I don't know what that would cost. I'll update this if I hear back from them. It's possible these guys are worth a shot as well:
https://www.opswat.com/solutions/prevent-malicious-downloads-proxy-servers-icap

Update:
I heard back from VirusTotal. Asking about using the ICAP server listed above, they just said that I needed the public API key (by signing up for a free account), so I'm guessing that it doesn't violate the ToS. I haven't heard back regarding pricing yet for their business / intelligence subscription.

Here is a 'setup' link for Metadefender:
https://www.opswat.com/blog/scan-network-traffic-using-proxy-server-metadefender-proxy